AS3, jQuery, Web/Game Dev, & Other Nerdery

Tags: AMFPHP

This is a little tutorial covering using ActionScript 3, PHP and AMFPHP to create a MySQL-based High Score Database. You should have some familiarity with each as this isn’t exactly a “Beginner’s How-To.” For a recent game project I’ve been working on, one of the requirements was a simple High Score Database. After finishing it, I thought I’d post about how I went about coding it.

Let’s jump right in with the ActionScript first… So from the game’s .as files, the idea was to display a DataGrid that shows all the scores submitted to the database. I also wanted to create a ScoresDB class that handles all of my database calls and parses the database results, all ready to be added to the DataGrid.

So that we’re all on the same page, Main.as will refer to the main class that handles adding the DataGrid to the stage, and handles other game functions. ScoresDB.as will refer to the ScoresDB class that handles the AMFPHP/PHP/MySQL calls. HighScore.php will refer to the AMFPHP Service that actually interacts with the MySQL database and returns result sets.

I decided to split the original blog post into two separate posts as “Secure” Flash/MySQL DB calls is fairly short, and it was scattered about in a post more on how to set up a High Score DB with AMFPHP. So this will be a couple of very specific tips and things to set up when adding any sort of user-entered data from Flash (or PHP!) to touch your database.

You know the rule… never trust any data. Always make sure you strictly data type variables and typecast user-entered variables.

First up, as the user enters data into Flash, via an input TextField, use the .restrict setter to restrict characters entered to only characters that you need. This is the first layer of protection against SQL injection attacks, and just follows the same sort of common sense “best practices” type of coding as datatyping variables.

    nameInputTxt.restrict = "A-Z a-z 0-9";

This will restrict the characters allowed in this TextField to only alphanumeric characters, capitals and lower case. This excludes potential injection-prone characters like the single apostrophe ( ' ) and semicolon ( ; ) keys.

After that data gets entered, we’re going to send those variables through AMFPHP into our PHP class. In the case of our High Scores Database example, we’re sending both the nameInputTxt data, as well as an integer-based score value, which gets handled by the following PHP code:

    function addScore( $pName , $pScore )
    {
        $created = date( "Y-m-d H:i:s" );
        // Escape the name for use inside a quoted SQL string literal
        $cleanName = mysql_real_escape_string( $pName );
        // Force the score to an integer
        $cleanScore = intval( $pScore );
        return mysql_query( "INSERT INTO $this->table SET `name` = '{$cleanName}' , `score` = $cleanScore , `created` = '{$created}' " );
    }

You’ll see the $cleanName and $cleanScore variables a couple of lines into the function. For String type user-entered data, always run it through PHP’s mysql_real_escape_string() […]
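As an added example (not code from the original post), here is the same addScore() service method written with PDO prepared statements, since the mysql_* functions were removed in PHP 7. The .restrict filter runs inside the Flash client, so the server repeats the same character check before the insert. The in-memory SQLite database, the `scores` table name and the 20-character name limit are assumptions made so the script runs offline.

```php
<?php
// Added example, not the blog's code. SQLite in-memory stands in for MySQL
// so the script runs offline; table name and length limit are assumptions.
class HighScore
{
    private $db;
    private $table = 'scores'; // fixed identifier, never taken from the client

    public function __construct(PDO $db)
    {
        $this->db = $db;
        $this->db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    }

    public function addScore($pName, $pScore)
    {
        // Server-side copy of the Flash restrict set "A-Z a-z 0-9".
        if (!is_string($pName) || !preg_match('/\A[A-Za-z0-9 ]{1,20}\z/', $pName)) {
            return false;
        }
        // Reject non-integers outright; intval() would turn "12abc" into 12.
        $score = filter_var($pScore, FILTER_VALIDATE_INT,
            array('options' => array('min_range' => 0)));
        if ($score === false) {
            return false;
        }
        // Values travel as bound parameters, separate from the SQL text.
        $stmt = $this->db->prepare(
            "INSERT INTO {$this->table} (name, score, created)
             VALUES (:name, :score, :created)"
        );
        $stmt->bindValue(':name', $pName, PDO::PARAM_STR);
        $stmt->bindValue(':score', $score, PDO::PARAM_INT);
        $stmt->bindValue(':created', date('Y-m-d H:i:s'), PDO::PARAM_STR);
        return $stmt->execute();
    }
}

// Constructed sample input: one valid row, then two a modified client could send.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE scores (name TEXT, score INTEGER, created TEXT)');
$svc = new HighScore($db);
var_dump($svc->addScore('Player One', 1200));
var_dump($svc->addScore("O'Brien;", 5));
var_dump($svc->addScore('Bob', '12abc'));
var_dump((int) $db->query('SELECT COUNT(*) FROM scores')->fetchColumn());
```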